Cisco SD-WAN Solution vManage Stored Cross-Site Scripting Vulnerability
Description
A vulnerability in the web UI of the Cisco SD-WAN vManage software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the vManage software. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Cisco SD-WAN vManage web UI contains a stored XSS vulnerability that allows authenticated remote attackers to execute script code via a crafted link.
Vulnerability
The Cisco SD-WAN vManage software web-based management interface contains a stored cross-site scripting (XSS) vulnerability due to insufficient validation of user-supplied input. An authenticated, remote attacker can exploit this by persuading a user to click a crafted link. The vulnerability affects versions prior to 19.2.2 [1].
Exploitation
An attacker must have authenticated access to the vManage instance. The attacker crafts a malicious link containing the XSS payload and convinces a legitimate user to click it. The payload is stored on the server and executed when other users view the affected page, leading to persistent script execution [1].
Impact
Successful exploitation allows the attacker to execute arbitrary script code in the context of the victim's browser session. This can lead to disclosure of sensitive browser-based information, session hijacking, or unauthorized actions performed on behalf of the victim [1].
Mitigation
Cisco released a fix in vManage software Release 19.2.2. Customers should upgrade to this or a later version. No workarounds are documented in the advisory [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: n/a
Patches
No patches discovered yet.
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200318-vmanage-xss (mitre, vendor-advisory, x_refsource_CISCO)